OpenLDAP is, as the name suggests, the primary Open Source implementation of LDAP (Lightweight Directory Access Protocol). LDAP is commonly used for directory-type systems, such as authentication mechanisms, and humble address/telephone directories. If you need a lightweight directory system, OpenLDAP is the way to go. Even though these instructions apply to an OpenLDAP installation on two Gentoo Linux hosts, the principles can be applied to any *nix variant. For example, I've recently performed a similar OpenLDAP implementation across 7 Solaris 10 servers, and the steps are similar - only paths and the installation source (SunFreeware, of course!) are different.
We'll be configuring two nodes - a primary node which will replicate to a secondary node using slurpd. As usual, the notes are terse and assume that you're a seasoned *nix admin. For further information, the OpenLDAP site has plenty of good documentation.
Execute the following commands on both nodes. This will download, configure and make OpenLDAP, as well as check dependencies, and add slapd to the default runlevel. You can skip the first two commands, as here we're just searching for OpenLDAP in portage, followed by a "pretend" emerge.
# emerge -s openldap
# emerge -pv net-nds/openldap
# emerge -v net-nds/openldap
# etc-update
# revdep-rebuild
# rc-update slapd default add
As we'll be using slurpd for replication to the secondary node, execute the following command on the master node only.
# rc-update slurpd default add
Now that OpenLDAP is installed, I'll set up a basic OpenLDAP database on the master node. First, we'll go ahead without replication, and populate our LDAP database with some sample data. After this is done, we'll migrate the configuration (and LDAP database) over to the secondary node, and configure replication.
So we'll start with a basic OpenLDAP configuration. This is configured in slapd.conf, which on a Gentoo system (and most other Linux variants) is located in /etc/openldap.
# cd /etc/openldap
# cp -p slapd.{conf,orig}
# grep '^[^#]' slapd.conf > slapd.new
# mv slapd.{new,conf}
# vi slapd.conf
# cat slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
cachesize 10000
suffix "dc=zazzybob,dc=com"
rootdn "cn=Manager,dc=zazzybob,dc=com"
rootpw mysecurepass
checkpoint 1024 5
directory /var/lib/openldap-data
index objectClass eq
As you can see, this is about as basic a slapd.conf as you'll find. I haven't set up access controls or proper indexing for the purposes of this tutorial - you should! If no access controls are present, the default policy allows anyone and everyone to read everything, but restricts updates (i.e. writes) to the rootdn. This suffices for our needs.
When I'm populating my LDAP database, I create a temporary location for my LDIF files. Make it secure...
# mkdir -m 700 -p /var/ldif
# chown root:root /var/ldif
The default USE flags on Gentoo have tcpd enabled for OpenLDAP, so ensure your /etc/hosts.allow files are configured (on both nodes) to allow the appropriate access to slapd and slurpd.
We'll now populate our LDAP database on the master node. First, we need to start slapd.
# /etc/init.d/slapd start
OK, we can now begin populating the database. We'll start by configuring our Base DN:
# cat /var/ldif/domain.ldif
dn: dc=zazzybob,dc=com
objectclass: dcObject
objectclass: organization
o: zazzybob.com
dc: zazzybob
# ldapadd -x -D "cn=Manager,dc=zazzybob,dc=com" -W -f /var/ldif/domain.ldif
Now, we can add our root DN:
# cat /var/ldif/root.ldif
dn: cn=Manager,dc=zazzybob,dc=com
cn: Manager
objectClass: organizationalRole
# ldapadd -x -D "cn=Manager,dc=zazzybob,dc=com" -W -f /var/ldif/root.ldif
Next, our People OU (yes, we're creating a database of user information):
# cat /var/ldif/ou.ldif
dn: ou=People,dc=zazzybob,dc=com
ou: People
objectClass: organizationalUnit
# ldapadd -x -D "cn=Manager,dc=zazzybob,dc=com" -W -f /var/ldif/ou.ldif
OK, now our LDAP database is populated with some basic objects. Perform a couple of ldapsearch commands and ensure that all is well. Now, we can move onto replication.
First, we'll shut down slapd on the master node:
# /etc/init.d/slapd stop
Next, we'll copy our slapd.conf from our master node to our slave node (obviously you shouldn't be able to ssh as root on your system - but this is just a pseudo-command to illustrate what needs to be done).
# scp /etc/openldap/slapd.conf root@slave:/etc/openldap
With that done, we have our two nodes configured as two distinct masters. We want to add replication. So first, on the master, add the following to your slapd.conf:
replica host=slave:389
        binddn="cn=Manager,dc=zazzybob,dc=com"
        bindmethod=simple credentials=mysecurepass
replogfile /var/lib/openldap-slurp/replog.log
Next, add the following to your slave server's slapd.conf:
updatedn "cn=Manager,dc=zazzybob,dc=com"
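The slapd.conf above stores rootpw in cleartext, the replica directive sends that same password to the slave over a simple bind, and (as noted earlier) there are no access directives. The following audit script is an added example, not part of the original article: it joins slapd.conf continuation lines, flags those three weaknesses plus a world-readable config file, and ships with a constructed sample config modeled on the one in this tutorial.

```shell
#!/bin/sh
# Added example (not from the original article): audit a classic-format slapd.conf
# for the weak settings this tutorial leaves in place.

# Drop comment lines and join continuation lines (leading whitespace) into one directive per line.
join_conf() {
    sed -e '/^[[:space:]]*#/d' "$1" | awk '
        /^[ \t]/ { buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }'
}

# Print one finding per line; always returns 0 so callers can simply count lines.
audit_slapd_conf() {
    conf=$1
    joined=$(join_conf "$conf")
    # rootpw should be a slappasswd hash such as {SSHA}..., never a bare string
    if printf '%s\n' "$joined" | grep -Eiq '^rootpw[[:space:]]+[^{[:space:]]'; then
        echo "rootpw is cleartext: generate a hash with slappasswd instead"
    fi
    # slurpd sends credentials= to the slave with a simple bind, in the clear
    if printf '%s\n' "$joined" | grep -Eiq '^replica.*bindmethod=simple.*credentials='; then
        echo "replica uses simple bind with a cleartext password: use a dedicated replication DN and TLS"
    fi
    # without any access directives the default policy lets anyone read everything
    if ! printf '%s\n' "$joined" | grep -Eiq '^access[[:space:]]+to'; then
        echo "no access directives: the whole directory is world-readable"
    fi
    # the file holds credentials, so it must not be readable by others
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "$conf is readable by others: chmod 600 it"
    fi
    return 0
}

# Constructed sample modeled on the tutorial's master slapd.conf (not a real config).
write_sample_conf() {
    cat > "$1" <<'EOF'
include /etc/openldap/schema/core.schema
database bdb
suffix "dc=zazzybob,dc=com"
rootdn "cn=Manager,dc=zazzybob,dc=com"
rootpw mysecurepass
replica host=slave:389
        binddn="cn=Manager,dc=zazzybob,dc=com"
        bindmethod=simple credentials=mysecurepass
replogfile /var/lib/openldap-slurp/replog.log
EOF
}
```

Run it against a live config with `audit_slapd_conf /etc/openldap/slapd.conf`, or try the sample with `tmp=$(mktemp); write_sample_conf "$tmp"; audit_slapd_conf "$tmp"`.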
Now, we can migrate the existing LDAP data over to the slave. So, on the master node:
# cd /var/lib
# tar czf /tmp/openldap-data.tar.gz ./openldap-data
# scp /tmp/openldap-data.tar.gz user@slave:/tmp
Next, on the replica (the slave node):
# cd /var/lib
# mv /tmp/openldap-data.tar.gz .
# tar xzpf openldap-data.tar.gz
OK, get slapd running on the slave node:
# /etc/init.d/slapd start
Now bring it up on the master node, remembering to start slurpd too:
# /etc/init.d/slapd start
# /etc/init.d/slurpd start
You now have replication up and running!
The easiest way to test replication is to add an entry into your LDAP database on the master node and ensure that the change is replicated over to the slave node.
# cat /var/ldif/person_1.ldif
dn: cn=kevin,ou=People,dc=zazzybob,dc=com
cn: Kevin
sn: Waldron
objectClass: person
telephoneNumber: 03 8 123 4567
# ldapadd -x -D "cn=Manager,dc=zazzybob,dc=com" -W -f ./person_1.ldif
Now, on the slave node, perform an ldapsearch and check that the new entry has been replicated:
# ldapsearch -x -LLL -D "cn=Manager,dc=zazzybob,dc=com" -W -b "dc=zazzybob,dc=com" "(objectClass=*)"
All done! You can also check the replication log (under /var/lib/openldap-slurpd/replica) to ensure that replication is working correctly.
If you experience issues, start the various daemons with the highest level of debug turned on, e.g. (for slurpd):
# /usr/lib/openldap/slurpd -f /etc/openldap/slapd.conf -d 65535
The daemon will run as a foreground process, spewing forth debug information that will allow you to resolve issues easily. Remember the -u and -g options to run the process as the correct user/group during your tests, otherwise you may not see permissions issues when you're debugging as root.
This has been a whirlwind tour of OpenLDAP, from package installation through to replication.
Cheers
Kevin Waldron
kevin@zazzybob.com
Disclaimer! - This article is provided for guidance only, and does not replace the relevant official documentation and manuals. I will not be held liable for any hosed systems and/or data.